More bad WordPress, campaign switches from Nuclear EK to Angler EK

An ongoing malvertising attack that has been injecting malware into WordPress sites has now switched its malicious payload from a Nuclear exploit kit (EK) to an Angler EK.

Researcher Jerome Segura said in a Wednesday Malwarebytes blog post that the payload switch occurred around Feb. 4 and that the campaign has also switched its URL pattern from “admedia” to “megaadvertize.”

To evade honeypots and to ensure the malware hits its intended target, the malicious URL fingerprints the user's machine to check whether it is running the Internet Explorer browser and using a screen resolution greater than 800×600, the post said.
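For defenders, the two URL markers and the Internet Explorer check described above can be turned into a proxy-log triage pass. The following is an added example, not code from the Malwarebytes post; the log layout, the token-boundary matching rule, the priority labels and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# URL markers named in the article (earlier and current campaign pattern).
MARKERS = ("admedia", "megaadvertize")
# Assumption: match a marker only as a delimited token, so a longer word that
# merely contains it (e.g. "badmediaplayer") does not raise an alert.
TOKEN = re.compile(r"(?<![a-z0-9])(%s)(?![a-z0-9])" % "|".join(MARKERS), re.I)
# Internet Explorer user-agent tokens; the article says the check targets IE.
IE_UA = re.compile(r"MSIE |Trident/")
# Assumed log layout: <timestamp> <client_ip> <method> <url> "<user-agent>"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log lines (documentation IPs, reserved .test domains).
SAMPLE_LOG = """\
2016-02-05T10:01:12Z 192.0.2.10 GET http://blog.example.test/wp-includes/js/jquery.js "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2016-02-05T10:01:13Z 192.0.2.10 GET http://gate.example.test/megaadvertize/?id=1 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2016-02-05T10:02:40Z 192.0.2.22 GET http://gate.example.test/admedia/?id=2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
2016-02-05T10:03:00Z 192.0.2.31 GET http://news.example.test/static/badmediaplayer.js "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
not a log line
"""


def find_hits(log_text):
    """Return one dict per request whose URL carries a campaign marker."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, _method, url, ua = m.groups()
        tok = TOKEN.search(url)
        if not tok:
            continue
        hits.append({
            "time": ts,
            "client": client,
            "host": urlsplit(url).hostname,
            "marker": tok.group(1).lower(),
            # IE clients are the ones the fingerprint check is reported to
            # select, so review those hosts first.
            "priority": "high" if IE_UA.search(ua) else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Screen resolution is not visible in proxy logs, so the priority label reflects only the browser half of the fingerprint.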

In one instance, Segura witnessed the malicious payload drop the TeslaCrypt ransomware.

Earlier this month, researchers noticed a spike in the number of compromised sites that were injected with malicious code attached to the end of legitimate JavaScript files.
